Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.
  • 18 November 2016 08:26

CyberArk Labs: Exploiting Domain-Level Service Credentials

Attackers with Local Administrator Rights Can Harvest Encrypted Service Credentials to Achieve Lateral Movement and Full Domain Compromise

Sydney, 18 November 2016 – CyberArk (NASDAQ: CYBR) today unveiled new research from CyberArk Labs ( detailing what it considers to be a significant risk across all Windows endpoints, including those on Windows 10 with Credential Guard enabled. The exploit could allow cyber attackers to harvest encrypted service credentials from the registry and inject them into a new malicious service to achieve lateral movement and full domain compromise.

Microsoft Credential Guard was introduced to mitigate the risk of lateral movement using compromised credentials, yet Credential Guard does not protect domain-level user and service credentials equally. Despite being encrypted, domain-level service credentials remain in the registry, at risk of compromise by attackers who have obtained local administrator privileges on an infected endpoint (

Similar in concept to Pass-the-Hash ( attacks, if fully exploited, cyber attackers could compromise and reuse an encrypted service credential – without ever needing to decrypt it – to move laterally through the organisation and ultimately be able to gain access to a domain controller.

From Stolen Credential to Domain Compromise

In a proof of concept, CyberArk Lab researchers were able to demonstrate that attackers with local administrator access on a single user’s machine could compromise domain-level service credentials and reuse them in encrypted form to achieve lateral movement and full domain compromise, even when Credential Guard is enabled. CyberArk’s testing showed that an attacker with local administrator access would not have to use malware to execute this type of attack, and by exploiting this risk, an attacker could gain full ownership of the entire domain in just minutes.

“This research is important to help organisations understand that not all credentials are protected equally, and further, encrypted credentials are not necessarily secure,” said Kobi Ben Naim, senior director of cyber research, CyberArk Labs. “By better understanding the risks associated with credential theft, organizations can prioritise mitigation strategies, starting on the endpoint.”

To learn more, including the specific attack methodology and mitigation strategies for domain-level service credential exploits, read the full CyberArk Labs report, “Stealing Service Credentials to Achieve Full Domain Compromise (”

Research from CyberArk Labs focuses on targeted attacks against organizational networks – the methods, tools and techniques employed by cyber attackers, as well as methods and techniques to detect and mitigate such attacks.

About CyberArk

CyberArk is the only security company focused on eliminating the most advanced cyber threats; those that use insider privileges to attack the heart of the enterprise. Dedicated to stopping attacks before they stop business, CyberArk proactively secures against cyber threats before attacks can escalate and do irreparable damage. The company is trusted by the world’s leading companies – including 45 percent of the Fortune 100 – to protect their highest value information assets, infrastructure and applications. A global company, CyberArk is headquartered in Petach Tikvah, Israel, with U.S. headquarters located in Newton, Mass. The company also has offices throughout EMEA and Asia Pacific and Japan. To learn more about CyberArk, visit, read the company blog (, follow on Twitter @CyberArk, or Facebook at:

# # #

Copyright © 2016 CyberArk Software. All Rights Reserved. Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other brand names, product names, or trademarks belong to their respective holders.

Submit a media release

Editor's Recommendations

Brand Page


View all events Submit your own security event

Latest Videos

More videos

Blog Posts

Media Release

More media release